I would strongly advise that people backup their router config before executing *any* of the above:

Originally Posted by unlokia

I second this ^^^ As the Manufacturer mode of the firmware runs telnetd on startup, and is insecure, it may even be accessible from outside the LAN!

I couldn't get the serial to drop into root at first, but without your hidden admin links and the flash choices obtained from interrupting the boot process I wouldn't have found the TR69 stuff which I saw in the boot messages from the serial.

One thing I find, is that when I did the custom username over telnet, and committed it to flash, once I had entered reboot, and after it rebooted, the web UI login was STILL at the manufacturer default, and the WiFi name was still "wlan" and an open network...

So how does one go back the web UI with *my* login, as on the label, without a full reset?

Thanks

Originally Posted by unlokia

I wonder if these are special because as you discovered they are changeable in the settings before the boot process, well the SSID is.

I need to spend more time playing with it tbh. I have since changed the password to the webUI, I think I just did that through either the webUI or the pre-boot options aforementioned.

That is absolutely awesome, well done. I've been following the thread for a while but I didn't fancy getting my hands dirty with the hardware. Now there's a soft way in, I'm going to try it tonight once my kids have gone to bed so I don't interrupt their streaming!

I installed the squashFS tools but can't get the unsquash command to extract these with LZMA compression. It's frustrating, as I know this would probably be easy for somebody that has experience with embedded Linux / firmware hacking.

The problem is this processor is very hard to find kernel drivers for. If I could, I would put an OpenWRT install built for this processor on USB and try to get the BB to boot from that, or feed it to it via TFTP, as you can set a remote boot in the pre-boot settings.

Originally Posted by whitenight639

The processor is the same as the Netgear DGN2200v2 and the D-LINK DSL-2641B. The latter has a toolchain in its latest firmware revision (including gcc-4.4.2). Unfortunately, many of the drivers are closed source, including the ADSL driver, ethernet driver and others. Nobody successfully ported OpenWRT to the DGN2200v2 either.

That all being said, couldn't we use the pre-compiled binaries from the original firmware for OpenWRT? I realise we won't be able to distribute an OpenWRT firmware for the device with them bundled, but it would be a half-solution if we could get something working.

Originally Posted by darth_stroyer

That's a great idea, let's do it. I have extracted the root filesystem from the priimg partition dump. The firmware-mod-kit available from here was indispensable. There is also a great guide to firmware extracting here. So I will post a link to download the root filesystem from the BrightBox as soon as it uploads to my Dropbox.

I'm not a kernel dev so some of the driver stuff I will definitely need help with.

My problem at the moment is that the EE BrightBox is my only router and it's in use most sane hours of the day so it's a little difficult to do anything with it. When I gain SSH access, I can't connect the router to my broadband, or change any of the WiFi settings because my PCs will no longer connect to it. This limits my "playing around" time to more or less after 11pm, at which point I'm just too tired lately!

I noticed your (whitenight639?) thread over on the OpenWRT forums... one thing that occurred to me is that an ADSL driver shouldn't be required for the Fibre-broadband version of the router, correct?

Originally Posted by darth_stroyer

Yeah, the kernel in the BrightBox is 2.6.30 if I remember rightly, and the newer OpenWRT images use newer kernels, so the binary drivers from the original firmware might not work with a newer kernel, and it's still going to be hit and miss. The OpenWRT stuff does not have a working ADSL driver for that CPU. I am not sure how the fibre stuff works; I imagine it still needs a driver. I believe the ethernet, ADSL and fibre stuff is all done on-chip; it's not like there's a separate chip that handles that stuff that drivers will be available for (like the wireless).

I do have a spare BrightBox I'd send you but I'm so broke right now I can't even afford the postage.

Yeah his offer is also tempting, but I wonder if he might be better offering it to someone with more experience (like on the OpenWRT forums), because I'm fairly new to hacking and I think someone who knows more could get the job done faster.

I did want to donate to your cause, but the best I could offer is some legitimate Microsoft software keys (I have an MSDN subscription). I've got some keys going spare for Windows 7, Vista, or Office 2003 onwards if you want one for your new laptop. Let me know :-)

So it looks like the box is already running OpenWRT. It looks like it even has dnsmasq, which is the main application I want to run with OpenWRT.

I've done a bit of digging and I can see that telnetd is started from /etc/rc.d/S200preApp_init if the config section phase@manuf equals manuf. For the default configuration once you receive the box from EE/Orange/T-Mobile, the value is set to normal.

Naturally, when you back up the configuration, it's encrypted. If we can figure out the encryption then we might be able to change the value from 'normal' to 'manuf', which might let me have normal use of the router whilst having telnet access.

EDIT: looks like config backup/restore is handled by /usr/sbin/util_sys_cli, which is a binary file so no joy on figuring out the encryption. It also looks like the backup.bin spat out by the web interface isn't an encrypted version of those name-value pairs as the backup bin is only 4KB, which means it's probably just a dumped struct with the values.

Originally Posted by darth_stroyer

I did notice this in another script. I wonder if it is actually OpenWRT (I thought maybe they'd used some stuff from OpenWRT). If we could add the opkg package manager so that people would be free to install or uninstall packages, it would be really sweet.

Originally Posted by darth_stroyer

Nice work. So looking at that script it checks if the config is set to manuf mode, but those config parameters look the same as the TR69 ones I listed before, and the script even uses the same command to get the parameter, so on a normal box you could run:

/bin/util_ccfg_cli set phase@manuf=manuf

(check the syntax of this against my previous TR69 posts as I haven't tried it, I'm in a rush atm)

Problem is with my BB it wouldn't drop into root from serial; I had to enable manufactory mode to get root to be able to do anything, so for me it's a catch-22. Others that got root may be able to start telnetd with this and not click the hidden button.

Yeah I thought of that too. The problem is, I don't have a plaintext dump of my config before I reset to 'manufactory'. So I can't reset the config.

I discovered something else that's possibly interesting whilst trying to trick the web interface into dumping a plaintext cfg file. The backup button in the settings page runs a JavaScript function called backup_config. This function just opens a new window with the location /etc/config/backup.bin (/etc/config is a symlink for /ramdisk/etc/config). You can download this file without even logging in to the administrator interface.

Perhaps more interesting is the fact that you can write any file name with a .bin extension to get a file. A diff on a made-up file name with a correct backup shows that the made-up file name cuts off after 300 bytes, but both files are identical up until that point. This makes me wonder if the first 300 bytes is a signature and the rest of the file is the actual config. I'd like to try XORing those 300 bytes against the rest of the file, but I'm not sure of a command-line application that could do it.
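The XOR experiment described above, written out as an added example (not code from the thread): it treats the first 300 bytes of the backup as a repeating key, XORs it across the remainder, and scores the output by how much of it is printable, so a wrong hypothesis shows up as a low score rather than as garbage you have to eyeball. The sample backup is constructed inside the script and is not a real BrightBox dump.

```python
import string

SIG_LEN = 300  # prefix length observed in the thread's diff of the two downloads


def xor_with_prefix(data: bytes, prefix_len: int = SIG_LEN) -> bytes:
    """XOR everything after prefix_len against the prefix, repeating the prefix as a key."""
    if len(data) <= prefix_len:
        raise ValueError("file is not longer than the suspected signature")
    key, body = data[:prefix_len], data[prefix_len:]
    return bytes(b ^ key[i % prefix_len] for i, b in enumerate(body))


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII (incl. tab/newline); near 1.0 suggests plaintext."""
    if not data:
        return 0.0
    ok = set(string.printable.encode())
    return sum(1 for b in data if b in ok) / len(data)


def looks_like_config(data: bytes, threshold: float = 0.95) -> bool:
    """Heuristic: decoded output is mostly printable and contains name=value style content."""
    return printable_ratio(data) >= threshold and b"=" in data


# --- constructed sample, NOT a real backup.bin: a fake 300-byte "signature" followed by
# --- the same name=value text XORed with it, so the hypothesis is true for this input.
SAMPLE_PLAINTEXT = b"phase@manuf=normal\nwlan_ssid=wlan\nlan_ip=192.168.1.1\n" * 4
_fake_sig = bytes((i * 37 + 11) & 0xFF for i in range(SIG_LEN))
SAMPLE_BACKUP = _fake_sig + bytes(
    b ^ _fake_sig[i % SIG_LEN] for i, b in enumerate(SAMPLE_PLAINTEXT)
)

if __name__ == "__main__":
    decoded = xor_with_prefix(SAMPLE_BACKUP)
    print(f"printable ratio after XOR: {printable_ratio(decoded):.2f}")
    print(f"raw body printable ratio: {printable_ratio(SAMPLE_BACKUP[SIG_LEN:]):.2f}")
    print(decoded.decode("ascii", errors="replace")[:60])
```

On a real file the interesting case is the opposite outcome: if the ratio stays low after XOR, the prefix is not a simple key and the hypothesis is rejected without guessing.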

Originally Posted by darth_stroyer

Hello

Your offer is extremely generous - I should like to take you up on the offer of some Office keys, for whichever version is most recent, and a couple of Windows 7 keys, if that would be alright?

No, I'm OK thanks mate, I just use Linux, and I know how to use torrent sites ;-)

Originally Posted by whitenight639

I use Linux Mint 99% of the time, and I also use Windows - surely it's better to be legal than illegal, especially when someone is offering you a legal way of using the software? Why would you *want* to use illegal keys, when the legal option is free?

:-/

Originally Posted by unlokia

Basically I don't use any Microsoft products, I don't need them and I don't like how Microsoft conducts some of its activities. I would much rather pirate their shizzle than know they have earned money from the keys I'm using.

Originally Posted by whitenight639

I think you're being a little too political about this. I'd rather they earnt some money than I earnt a jail sentence. If you don't like their products, don't use them - if they're not good enough to buy, they're certainly not good enough to steal... which tells me you actually do like them, since you pirate them.

[EDIT]

Anyhow, that's way off topic, and it is also your choice - I am not judging you for using pirated things - I've done so in the past.

Take care

Originally Posted by unlokia

It's not that they're good enough to buy or steal, it's that they are so popular and effectively have the monopoly on the commercial desktop operating system, and there are some situations where you have to use them. You know about Bill Gates' eugenics / vaccination program right? He thinks the world is over populated and is trying to remedy that, check his Freudian slip here: http://www.youtube.com/watch?v=0nLs95gUVY4

Not just ol' Bill, it's how Microsoft conduct business: they sued HTC and / or Samsung over alleged patent infringements to get them to put Windows Mobile on their phones because Android was doing fine. There are numerous examples of shady things Microsoft have done.